A widely reported WiFi vulnerability is significant, but its bark is far worse …


The latest hole in WiFi security is quite serious, but it's unlikely to cause widespread disruption in the corporate and government networks for which it would have the potential to cause the biggest headaches.

In fact, the exploit continues to demonstrate a lack of any effective method of cracking the WiFi Alliance WPA/WPA2 certified versions of IEEE encryption standards found in WiFi gear of the past seven years. Brute force and dictionary attacks against short passphrases used typically on home and small-business networks are still the only means of key recovery.

As AirTight Networks' Dr. Kaustubh Phanse, the firm's principal wireless architect, said, "We are not talking about any key cracking; we are not talking about any brute-force authentication." An AirTight researcher documented this problem, and presented his results at a demonstration at Black Hat Arsenal and Defcon 18 this week in Las Vegas.

The so-called "Hole196," dubbed by its documenter at AirTight Networks, is a description and demonstration of a known problem, shown in its full glory. The exploit arises directly out of the IEEE 802.11i spec later incorporated into 802.11-2007, the latest complete version of the standard. This contrasts with a driver- or implementation-specific weakness.

After a briefing with AirTight and discussing the flaw with several security researchers familiar with it, it's clear that the bark is worse than the bite. It sounds bad, and is bad, but has little chance of becoming a new vector.

Let's start with the scope before I explain the hole.

The scope of Hole196

To take advantage of the exploit, an attacker must be an authorized user on a WiFi network using WiFi Protected Access security (WPA or WPA2 versions), which rely on TKIP (WPA) or AES-CCMP (WPA2) encryption key types. The key is not cracked in this exploit.

On networks that use a preshared key, as in WPA/WPA2 Personal, the attack is largely meaningless. Because each user shares the same key, a malicious user already has the means necessary to sniff the network to extract other users' temporal keys, and thus intercept all the traffic. And such networks aren't typically protected in any other fashion from simpler internal attacks, anyway.

Rather, this exploit has the potential to pierce through WPA/WPA2 Enterprise, which relies on the port-based access control protocol 802.1X. In 802.1X, a router (whether WiFi or an Ethernet switch) allows a client to connect in an extremely limited fashion to pass credentials. The switch or router blocks access to the rest of the network until credentials are authorized.

Those who deploy 802.1X can opt to require a simple user name and password combination, which becomes susceptible to brute-force attacks unless the system is monitoring for those, or social engineering ("hey, this is Jim from Accounting; what's my password again?"), or even laziness—having account information written down where someone can find it.

Some corporations obviate the risk of unauthorized users logging in over 802.1X by relying on client-side certificates, which are issued uniquely and installed on laptops and other devices, and can't be forged. Two-factor authentication—where the account and password are supplemented by a regularly changing code displayed on a fob that the user must manually enter, or by a card that's swiped on a USB or integral card reader that has the same effect without displaying the code—is used much less commonly to protect login data.

The risk comes primarily from legitimate network users engaged in espionage, theft, or denial of service. Many attacks against corporate and government secrets come from inside a company, where protections are often drastically less than those at the demarcation with the Internet. This attack may add to the bag of tricks for such insiders, although there's still plenty to mitigate their ability to execute.

With those provisos in mind about who can exploit the hole, let's take a look at its innards.

Peering down Hole196

In a secured WPA/WPA2 Enterprise network, each user, when authenticated, has unique master key material generated for them. The master key is combined with random numbers from the authentication negotiation to create specific keys used for protecting packets, handling packet integrity to prevent spoofing and injecting, and other tasks.

But each client is also handed a Group Temporal Key (GTK). The GTK is required for clients to receive broadcast and multicast messages from the access point (AP). The GTK is identical for all users on a given BSSID (basic service set ID), which uses a number in the same format as a MAC address. A BSSID is unique for each access point; it's also unique for each virtual SSID on an access point, for companies that use multiple network names combined with virtual LANs to segregate traffic.

The AP is the only entity on the network that is supposed to emit packets encrypted by the GTK. But the Hole196 exploit relies on a note on page 196 of IEEE 802.11-2007:

NOTE: Pairwise key support with TKIP or CCMP allows a receiving STA to detect MAC address spoofing and data forgery. The RSNA architecture binds the transmit and receive addresses to the pairwise key. If an attacker creates an MPDU with the spoofed TA, then the decapsulation procedure at the receiver will generate an error. GTKs do not have this property.

The note explains that the pairwise temporal key (PTK), unique for each client (STA or station) on the network, can be used to validate that the transmitting address (TA) isn't being spoofed.

A similar reference can be found on page 38:

Data origin authenticity is only applicable to unicast data frames. The protocols do not guarantee data origin authenticity for broadcast/multicast data frames, as this cannot be accomplished using symmetric keys and public key methods are too computationally expensive.

GTK-encrypted broadcast packets thus can't be trusted. A client on a given BSSID can create and send broadcast packets encrypted via the GTK that the AP ignores, because it only sends and does not receive broadcast messages. The packets can have the AP's address as the transmitter, and all other clients will receive such packets without being able to authenticate whether the AP transmits them or not.

That allows a malicious authorized user to attempt ARP (Address Resolution Protocol) poisoning, which can be used to fool other clients on the network into transmitting their traffic to a specified machine as a gateway instead of to the AP. (ARP messages are used to associate network MAC addresses with IP addresses. An attacker transmits unrequested broadcast messages to try to force a client to rewrite an internal cached table of such associations.)
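A client-side check for the ARP rebinding described above, as an added example that is not part of the original article: it parses ARP payloads and flags any message that tries to change the MAC address for a pinned or previously learned IP, or that arrives as a reply nobody requested. The names `ArpWatch`, `parse_arp` and `sample`, and all addresses, are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP payload (28 bytes); None for anything else."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, sha.hex(":"), str(IPv4Address(spa))

class ArpWatch:
    """Client-side check: does an ARP message try to rebind a known IP?"""
    def __init__(self, pinned):
        self.pinned = dict(pinned)  # ip -> MAC configured out of band (e.g. the gateway)
        self.learned = {}           # ip -> MAC first seen in traffic
        self.asked = set()          # IPs this host has an outstanding request for

    def note_request(self, ip):
        self.asked.add(ip)

    def observe(self, payload):
        parsed = parse_arp(payload)
        if parsed is None:
            return []
        oper, mac, ip = parsed
        alerts = []
        expected = self.pinned.get(ip, self.learned.get(ip))
        if expected is not None and mac != expected:
            alerts.append("rebind %s: %s -> %s" % (ip, expected, mac))
        if oper == 2 and ip not in self.asked:
            alerts.append("unsolicited reply for %s" % ip)  # can also be benign gratuitous ARP
        self.asked.discard(ip)
        self.learned.setdefault(ip, mac)  # keep the first binding; never overwrite silently
        return alerts

def sample(oper, sha, spa, tpa):
    """Constructed test payload; documentation IPs and locally administered MACs."""
    mac = bytes.fromhex(sha.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac,
                       IPv4Address(spa).packed, b"\xff" * 6, IPv4Address(tpa).packed)

def demo():
    watch = ArpWatch([("192.0.2.1", "02:00:00:00:00:01")])  # pinned gateway (assumed value)
    watch.note_request("192.0.2.1")
    ok = watch.observe(sample(2, "02:00:00:00:00:01", "192.0.2.1", "192.0.2.50"))
    bad = watch.observe(sample(2, "02:00:00:00:00:66", "192.0.2.1", "192.0.2.50"))
    return ok, bad
```

Because the check runs on the receiving client and compares against a binding obtained out of band, it does not depend on being able to authenticate the sender of a GTK-encrypted frame.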